Serious Security Flaw: API Requests from localhost #1405

Closed
lukasmahl opened this issue Mar 18, 2020 · 3 comments · Fixed by #1407
@lukasmahl

Hi guys,

While checking out your API I've found a serious security flaw, which allows any unauthenticated user to perform any kind of API request, which basically makes the whole tool, and therefore any agents on end hosts, exposable to anyone having access to the Caldera REST API.

The following function is responsible for checking authentication in your code:

```python
from aiohttp import web
from aiohttp.web_exceptions import HTTPForbidden, HTTPUnauthorized
from aiohttp_security import check_permission


# Method of the Caldera REST API service; self.bypass is 'localhost:' by default
# and self.get_config('api_key') returns the configured API key.
async def check_permissions(self, group, request):
    """
    Check if a request is allowed based on the user permissions
    :param request:
    :return: None
    """
    try:
        if request.headers.get('KEY') == self.get_config('api_key'):
            return True
        # request.host is derived from the client-supplied Host header (see below)
        elif self.bypass in request.host:
            return True
        await check_permission(request, group)
    except (HTTPUnauthorized, HTTPForbidden):
        raise web.HTTPFound('/login')
```

Basically it allows bypassing authentication if self.bypass is contained within request.host (which is set to localhost: by default). You are using the aiohttp library, in which host is usually the Host header of the HTTP request (see https://docs.aiohttp.org/en/v3.0.1/web_reference.html).

This works fine if you are performing a curl request from localhost, for example, but be aware that the HTTP Host header is mutable for any request performed by a user. So if you just overwrite the Host header with "localhost:8888" while performing a request to a public IP, for example, Caldera assumes you are performing the request to localhost and therefore disables authentication checks.

Here is a POC in Postman:
[screenshot: Postman request, 2020-03-18]

Body of the request:
[screenshot: request body, 2020-03-18]

Response:
[screenshot: response, 2020-03-18]

As you can see, I've successfully performed an API request while using an IP within my network and not localhost. I've set the Host header to localhost and was able to fetch details without any authentication.

That really is a serious flaw in the application: if I have productive agents running, an attacker can execute arbitrary commands in my network. I'd suggest removing the no-authentication "feature" for requests to localhost completely.

Thanks!
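To make the point concrete from the defender's side, here is an added, self-contained example (not Caldera's code and not from the issue author) that models the flawed check beside two fixed forms: the one the project chose (drop the bypass entirely) and a hypothetical alternative that keys the local-only convenience on the socket peer address instead of the Host header. The `Request` class, `API_KEY` value and the two request objects are constructed stand-ins for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Request:
    """Minimal stand-in for an aiohttp request (constructed for this example)."""
    headers: dict   # request headers exactly as the client sent them
    peer_ip: str    # TCP peer address from the socket, not from any header

    @property
    def host(self) -> str:
        # aiohttp's request.host is derived from the client-controlled Host header.
        return self.headers.get("Host", "")


API_KEY = "EXAMPLE-KEY"   # placeholder, not a real Caldera key
BYPASS = "localhost:"     # the default bypass string described in the issue


def vulnerable_check(req: Request) -> bool:
    """Mirrors the flawed logic: a substring match on the Host header grants access."""
    if req.headers.get("KEY") == API_KEY:
        return True
    return BYPASS in req.host


def hardened_check(req: Request) -> bool:
    """What the project did in the fix: no bypass, the API key is always required."""
    return req.headers.get("KEY") == API_KEY


def peer_address_check(req: Request) -> bool:
    """Hypothetical alternative if a local convenience path is really wanted: decide on
    the socket peer address, which the client cannot rewrite in a header. Only sound
    when the app terminates the TCP connection itself (no reverse proxy in front)."""
    if req.headers.get("KEY") == API_KEY:
        return True
    return ip_address(req.peer_ip).is_loopback


# Constructed: request sent to the server's LAN address with a forged Host header.
FORGED = Request(headers={"Host": "localhost:8888"}, peer_ip="192.168.1.50")
# Constructed: a genuine request from the same machine (e.g. curl on the host).
LOCAL = Request(headers={"Host": "localhost:8888"}, peer_ip="127.0.0.1")


def demo() -> dict:
    """Run all three checks against both requests and return the outcomes."""
    return {
        "vulnerable_accepts_forged": vulnerable_check(FORGED),  # True: the flaw
        "hardened_accepts_forged": hardened_check(FORGED),      # False
        "peer_accepts_forged": peer_address_check(FORGED),      # False
        "peer_accepts_local": peer_address_check(LOCAL),        # True
    }
```

Note that the peer-address variant is no safer than the Host check once a reverse proxy sits in front of the app, because every connection then arrives from the proxy's address; that is a good reason to prefer the project's approach of removing the bypass.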

@khyberspache

We put this in for simplicity of debugging/accessing from the local system. Good catch, I have an idea for a patch to keep the capability, but break this flaw.

@khyberspache

@privateducky

@privateducky

hi @lukasmahl, thanks for the issue post. we reviewed and agreed that the bypass is not necessary, so we just dropped it in the latest PR. we'll post some docs around how to use the API key within a browser/header session so folks who use it can still have the convenience on their laptops if they want it.

@khyberspache khyberspache linked a pull request Mar 18, 2020 that will close this issue